1 files changed, 0 insertions, 56 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
deleted file mode 100644
index e46ce436e1..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
-From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 2 May 2015 19:23:04 +0300
-Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
- reassembly
-The remaining number of bytes in the message could be smaller than the
-Total-Length field size, so the length needs to be explicitly checked
-prior to reading the field and decrementing the len variable. This could
-have resulted in the remaining length becoming negative and interpreted
-as a huge positive integer.
-In addition, check that there is no already started fragment in progress
-before allocating a new buffer for reassembling fragments. This avoid a
-potential memory leak when processing invalid message.
-Signed-off-by: Jouni Malinen <j@w1.fi>
---
- src/eap_peer/eap_pwd.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index a629437..1d2079b 100644
--- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
-         * if it's the first fragment there'll be a length field
-         */
-        if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
-+               if (len < 2) {
-+                       wpa_printf(MSG_DEBUG,
-+                                  "EAP-pwd: Frame too short to contain Total-Length field");
-+                       ret->ignore = TRUE;
-+                       return NULL;
-+               }
-                tot_len = WPA_GET_BE16(pos);
-                wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
-                           "total length = %d", tot_len);
-                if (tot_len > 15000)
-                        return NULL;
-+               if (data->inbuf) {
-+                       wpa_printf(MSG_DEBUG,
-+                                  "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
-+                       ret->ignore = TRUE;
-+                       return NULL;
-+               }
-                data->inbuf = wpabuf_alloc(tot_len);
-                if (data->inbuf == NULL) {
-                        wpa_printf(MSG_INFO, "Out of memory to buffer "
-- 
-1.9.1

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch deleted file mode 100644 index e46ce436e1..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch +++ /dev/null
@@ -1,56 +0,0 @@
1	Upstream-Status: Backport
2
3	Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
4
5	From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
6	From: Jouni Malinen <j@w1.fi>
7	Date: Sat, 2 May 2015 19:23:04 +0300
8	Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
9	reassembly
10
11	The remaining number of bytes in the message could be smaller than the
12	Total-Length field size, so the length needs to be explicitly checked
13	prior to reading the field and decrementing the len variable. This could
14	have resulted in the remaining length becoming negative and interpreted
15	as a huge positive integer.
16
17	In addition, check that there is no already started fragment in progress
18	before allocating a new buffer for reassembling fragments. This avoid a
19	potential memory leak when processing invalid message.
20
21	Signed-off-by: Jouni Malinen <j@w1.fi>
22	---
23	src/eap_peer/eap_pwd.c \| 12 ++++++++++++
24	1 file changed, 12 insertions(+)
25
26	diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
27	index a629437..1d2079b 100644
28	--- a/src/eap_peer/eap_pwd.c
29	+++ b/src/eap_peer/eap_pwd.c
30	@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm sm, void priv, struct eap_method_ret *ret,
31	* if it's the first fragment there'll be a length field
32	*/
33	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
34	+ if (len < 2) {
35	+ wpa_printf(MSG_DEBUG,
36	+ "EAP-pwd: Frame too short to contain Total-Length field");
37	+ ret->ignore = TRUE;
38	+ return NULL;
39	+ }
40	tot_len = WPA_GET_BE16(pos);
41	wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
42	"total length = %d", tot_len);
43	if (tot_len > 15000)
44	return NULL;
45	+ if (data->inbuf) {
46	+ wpa_printf(MSG_DEBUG,
47	+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
48	+ ret->ignore = TRUE;
49	+ return NULL;
50	+ }
51	data->inbuf = wpabuf_alloc(tot_len);
52	if (data->inbuf == NULL) {
53	wpa_printf(MSG_INFO, "Out of memory to buffer "
54	--
55	1.9.1
56